Using two certificates in Hashicorp Vault on Kubernetes

I am running Hashicorp Vault server (v1.5.4) in Kubernetes which I configured using the official Helm chart.

I want it to be connected to both the Internet and my private network (internet connectivity is needed for communication with Okta, which is my sole excuse to connect Vault to the internet), and since I want my Vault pods to terminate the TLS packets, I need to configure the application with two different certificates; One for requests coming from the internet, and the other for requests within the private network.

Because this is running on Kubernetes, I don’t have knowledge of the pod’s final IP at configuration time, so I couldn’t find a way to configure two different TCP listeners…

Here’s my current configuration, which I wish to double somehow so I can support another certificate:

listener "tcp" {
  address = "[::]:8200"
  cluster_address = "[::]:8201"
  tls_cert_file = "/etc/tls/tls.crt"
  tls_key_file  = "/etc/tls/tls.key"

Perhaps I’m missing something obvious?


Interesting use case. Yes, in Vault you can have multiple listner stanza’s… Here is an example from the Vault Listner Doc I have tested.

listener "tcp" {
  address = ""

listener "tcp" {
  address = ""

# Advertise the non-loopback interface
api_addr = ""
cluster_addr = ""

So in your case If you configure multiple listeners you also need to specify api_addr and cluster_addr so Vault will advertise the correct address to other nodes. I hope this helps you!!! :face_with_monocle:

1 Like

Hi @Cobra16319 :slight_smile:

My issue with your example is that I don’t have the pod’s IP (in your example at the time of writing the configuration since pods are rather transient creatures, so I am to believe I can only rely on [::], but sadly can’t use it twice in my config :confused:

Is this not a common use case though? I mean, what do people who want to use OIDC (in my case Okta) but be able to communicate with Vault via an internal network end up doing?

Btw, the helm chart takes care of the cluster_addr and api_addr quite splendidly :slight_smile:

Very good point! I did run into this

Looks like they do have [::], [::] twice in the config.

Keep me posted. I may try to spin this up and recreate it if you don’t find a solution becuase I am interested.

1 Like

They do, but they’re using different ports there.
Due to technical limitations, I am bound to use only one port, so that makes it quite problematic to use [::] twice in regards to address…